CMS Emergency Preparedness Requirement



By Erika Ables, CHC, CHPC
Sr. Compliance Analyst, Availity

As you are likely aware by now, CMS’ final rule on Emergency Preparedness Requirements for Medicare and Medicaid Providers and Suppliers went into effect on November 15, 2016 and will be implemented on November 15, 2017. This final rule establishes national emergency preparedness requirements for Medicare and Medicaid participating providers and suppliers to plan adequately for both natural and man-made disasters and coordinate with federal, state, tribal, regional, and local emergency preparedness systems.

As outlined in the final rule, the goal is to “enhance patient safety during emergencies for persons served by Medicare and Medicaid participating facilities…” The rule goes on to state that “the final rule addresses the three key essentials we (CMS) believe are necessary for maintaining access to healthcare services during emergencies: Safeguarding human resources, maintaining business continuity, and protecting physical resources”. This new regulation will require that each of the 17 impacted provider and supplier types have its own Emergency Preparedness regulations incorporated into its set of conditions for certification, and each provider and supplier must be in compliance with the new regulation in order to participate in the Medicare or Medicaid program.

It is also important to know that a cyberattack response needs to be part of your Emergency Preparedness plan because it may be an event that directly affects your agency operations. The U.S. Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has developed a cyberattack checklist that explains how your agency should respond if there is a cyberattack. This is very helpful and critical information as you prepare to implement this new requirement. Your organization's Emergency Preparedness Plan must have four elements in order for it to meet the requirements of the regulation. Those four required elements of the Emergency Preparedness Program are listed below, and you can also read about each of them in detail in the Federal Register.

The Four Elements of the Emergency Preparedness Program

  1. Risk Assessment and Emergency Planning
  2. Policies and Procedures
  3. Communication Plan
  4. Training and Testing

As the date draws near, it’s important that your entire staff is knowledgeable about this new regulation and the plan that your organization puts into place.  The key is to be able to use the new Emergency Preparedness Plan in the event of a real disaster and while the new regulation may seem a bit cumbersome initially, it could prove extremely beneficial in the most critical of times. While I’ve provided some of the resources available to you, I encourage you to review the numerous resources that CMS has put together and provided on their website.


Additional Information:
CMS Memorandum Summary – Advanced Copy – Appendix Z, Emergency Preparedness Final Rule Interpretive Guidelines and Survey Procedures.
FEMA – Developing and Maintaining Emergency Operations Plans – Comprehensive Preparedness Guide (CPG 101)
Full List of Impacted Provider and Supplier Types –


  1. Hi Erika, I agree that it’s important for medical professionals to know Emergency Preparedness. Great article, it’s the first time I read about cyberattack response. Any resource about it?
